OISSg - issaf - Nist - wtf?

Where does one begin with "methodologies" and "frameworks"? There are many out there from smaller "in-house" methodologies to larger, what some consider "industry standard" methodologies, like IAM, OSSTMM or Nist. Understanding which should be used for your particular purpose is important because each has its own purpose, and its own strengths as well as weaknesses (i.e. WASC-TC is a threat classification methodology use for Web Applications so it is obviously not a good choice for someone performing the vulnerability assessment of a small business network, for example). The basic idea behind a methodology is for the tester to follow a pre-made format which dictates how they will run the test through the use of some step-by-step listing of sorts. Since not all methodologies are the same and because your client may have different needs there is never one "perfect" methodology, no matter what some may say. There is not, and never will be, a methodology which can claim to be 100% accurate in finding all security issues. Perfect security, or as close to perfection as we can get, is a tricky balancing act of security and controls. The confidentiality, integrity and availability of systems and users is, as always, of the utmost importance. Vulnerabilities and threats need to be found and remedied as soon as possible so that the likelihood of our systems being compromised is as low as possible without also lowering the usability of our systems. This likelihood of something bad happening, when the threats we face find the weaknesses and vulnerabilities which we are not aware of or ready for, is known as risk. The attack surface is our exposure to these risks and the lack of separations and controls in place for the systems in question. The safest thing to do is to identify possible risks and protect ourselves from the threats and the effects of these threats by reducing our attack surface without effecting operations, or the availability and usefulness of the products and/or services which we give the public. By performing an audit, vulnerability assessment or full-out penetration test we can identify said risks before a threat is evoked. In order to increase our security posture and reduce the attack surface and eliminate attack vectors we should perform assessments and pentests on a regular basis (or hire people who can). Of course these tests and audits are only a small part of a larger picture, they are only one of many security measures we can put into place in our overall defensive strategy.

The basic skeleton to which almost every methodology is built upon usually looks fairly similar and generally includes some form of a 3 stage process which includes a beginning stage where information is gathered, a medial stage which is where the penetration testing and exploitation actually happens and the final stage which is for cleaning up and documentation. These 3 stages are further split up and usually begin with some form of information gathering, both passive and active, and recon work. Next comes some type of enumeration and vulnerability mapping in which the tester will usually be actively scanning targets to find open ports, finding what OS is being used, what services are used on which ports and actually identifying and analyzing the vulnerabilities found within these services. Next the tester will begin the actual exploitation process. This medial stage can include everything from social engineering and simply deploying a "prepackaged" exploit by using a framework such as Metasploit all the way to more advanced topics such as reversing code, fuzzing and creating finding your own exploits. Privilege escalation is generally placed within this category as well. Next up is maintaining access, if the client wishes, cleaning up after yourself and removing your "fingerprints" and any trace that you were there. The final stage concerns the documentation and recording of the testers findings. There are quite a number of websites and books that will lay out this bare format for you to follow if you don't wish to lock-in to any specific methodology. One of the best explanations and lists can be found here.

Following a very basic, foundation system like the one outlined above is perfectly fine, most of the time I actually condone using a simple outline like this so you won't be tied down to a specific list to follow like a robot, adding to this skeletal outline as needed and thus being able to hop in to the mind of a malicious user much easier. However when you are in a work environment or within an environment which needs thorough documentation you should follow standard methodologies already tailored for specific jobs. Because these standard methodologies can be used to show that you are implementing some type of "industry standard" that has been successfully used by others before you and which may be in accordance with best practices and meets compliance efforts it is best to stick with these methodologies and frameworks when assessing and testing in a professional environment. Another reason why you may want to use these "industry standard" methodologies is because most are well documented and updated with new security trends and regulations. So now the question is which one should you use for your penetration tests? I will go through a few industry standard methodologies and point out the basic ideas they convey, which features each has and under what circumstances should one use them. Do not treat this post as a clear and definitive guide, it is not. Look at the websites and documentation for the mentioned methodologies and compare them yourself before stepping into one. Plus, keep in mind that the pentesting world is dynamic and can change at the drop of a dime so you should always check for updates or completely new frameworks to work within.

The 2 Frameworks that are the best documented and most suitable for professional environments are the ISSAF and OSSTMM:

OISSG: "Information Systems Security Assessment Framework."

The ISSAF is a highly structured and peer-reviewed methodology "that categorizes information system security assessment into various domains and details specific evaluation or testing criteria for each of these domains." The ISSAFramework was created by the Open Information Systems Security Group, a non-profit organization with a "vision to spread information security awareness by hosting an environment where security enthusiasts from all over the globe share and build knowledge." Because of the peer review process and graded risk analysis report it is a good choice to use in a professional environment and a great choice for beginners who are new to pentesting and need an idea of where to begin and to have something to outline what they should be doing during each step along the way. The ISSAF is very detailed and uses a field tested and proven engagement structure with supplemental mapping tools and "internal control questionnaires." Even if you choose to use a different methodology I believe that the sections for "Handling False Positives" should be read over and applied to every pentesters chosen methodology as it is, in my opinion, one of the best outlines for avoiding false positives/negatives out there. The framework itself can be found at the website of the OISSG itself.

OSSTMM: "Open Source Security Testing Methodology Manual."

"Security doesn't have to last forever; just longer than everyone else that might notice it's gone."

The OSSTMM is an incredibly rich methodology whose main advantage comes from its channeled system for security tests and metrics and the RAV (Risk Assessment Values) form which is used to estimate the actual security value of the test results. The RAV uses 3 factors to determine the risk one faces, these are operational security, loss controls and limitations. This RAV form is one of the best ways for a pentester or auditor to evaluate security metrics which is achieved by expounding upon the test results, extracting all the events and segments of the current security posture and then defining and rating them (known as the RAV score) to better protect those systems. The OSSTMM is also one of very few methodologies that addresses the human weakness and trust, as well as diving into physical and operational security. ISECOM also has the BIT, the "Business Integrity Testing" project which analyzes business process' and transactions giving a strategic insight into employees and helps with building new business plans. Another positive is the handy STAR template which is the "Security Test Audit Report" which formalizes the assessment report and is advantageous to management and maybe those who aren't so technical but still review the testing reports and assess the risks and outputs of each stage along the way. The OSSTMM methodology can be downloaded in .PDF format here.

Now that you have a basic idea as to what the term "methodology", have an understanding of the skeleton that forms a penetration test and have seen 2 of the more popular methodologies, you should be able to choose for yourself a methodology that is fitting for whatever your needs may be.

Microsoft security baseline analyzer.

We have already discussed Two-Factor Authentication in an earlier post and although this is just another addition to your security strategy it is mainly only a deterrent of the physical controls in which your system actually sits. Don't get me wrong though, this is important, because if we cannot control these physical environments than all the other controls which we put in place become null. If an attacker can have direct access to your machine by sitting down at a desk with it then he doesn't need to use any logical, technical steps to gain entry.

One of my personal favorite tools in dealing with certain logical aspects is Microsoft's own "Baseline Security Analyzer" (MBSA) which covers 2 of the more important techniques; updating/patching and protecting against default passwords and configurations that may still be in use. MBSA checks for available updates for the Windows OS itself, .NET Framework, Microsoft XML Parser, MDAC and SQL and IIS for servers, it then scans for possibly insecure configuration settings such as default passwords. MBSA uses Microsoft Update and the horribly named Windows Server Update Server (WSUS) to determine which patches are needed. All of this is obtained directly from the Microsoft Update website and in Wsusscn2.cab, an offline cache. MBSA has a very easy to use graphical interface that you can just slide right on through with ease, choosing what you need to do and getting to it. There is also a command line executable that you can use named Mbsacli.exe which can be found within the MBSA default installation directory at \Program Files\Microsoft Baseline Security Analyzer 2\. This is great for when you have SSH'd in to your workstation from your laptop at home, or into your IIS Server. The basic commands in the command line to check for updates (in the following example we are looking for updates in the OS itself, IIS and SQL Server updates, and MDAC), and patch them, and check for weak passwords on the box at 192.168.1.12 is the following:

mbsacli /target 192.168.1.12 /n os+iis+sql+mdac+password

You can use domain and host names instead of the IP Address and you can scan entire IP ranges (like 192.168.1.1 to 192.168.1.55, for example) by using the following command:

mbsacli /target 192.168.1.1-192.168.1.55 /n os+iis+sql+mdac+password

You should also make sure that all automated logins are disabled. This can be done by going to Start > Control Panel > Administrative Tools > Local Security Policy and selecting user names one by one and making sure there is a password set for each.

As a side bonus for SysAdmins MSBA can be combined with Visio by using the Microsoft Visio Connector for MSBA, link given below, and can be used to take inventory of your network. Using MSBA to scan your entire network will provide you with information on each machine including the OS, IP Address, and of course any non-updated/patched machine (listing the risks and color coding each node with red, yellow or green to indicate threat level). By linking these results through Visio we can easily come up with an inventory. With MSBA connected Visio automatically generates a graphical image of your network and displays the given information on each node when you click on it, as shown here:

simple and free two factor authentication in windows.

As of December 2012 Operating System statistics has Windows (XP/7/Vista/8) being used by 85.3% of Americans, Mac at 8.0% and our friend Linux/*BSD is at 4.7% (these stats are for personal home computers, not servers, military, enterprise, etc.) which has actually decreased since this time last year. The left over, small percentage is for people who strictly use their mobile devices. Even though a good number of the people who read this blog are Linux or *BSD users there are still many people who use Windows on a daily basis, my self included. As most people know Windows isn't the most secure of the Operating Systems, this is debatable due to the fact that most people who use Linux are more knowledgeable and aware of security issues and since Windows is used by so many people it has a higher threat level. As stated by Scotland Yard detective Steve Santorelli, "The way malware writers operate is very much like any legitimate business; there are R[eturn] O[n] I[nvestment] concerns and risk v.s. reward considerations, if you overlay sensible business considerations onto the criminal decision making process, it is clear that Windows malware will get you more ROI." But this post is not about which OS is more secure, as any OS is really just as secure as its operator, instead this post is about one of many different, small ways to harden your Windows machine for free.

Two Factor Authentication uses the 2 factors of "Something you know" and "Something you have". "Something you know" is a password, a passphrase, a PIN number or any item which you can remember. The second factor, "something you have", is generally based on a physical possession. An example of a two factor system would be the ATM machine at your local bank. You have to first slide your card, which is "something you have", and then enter you PIN which makes for the "something you know".

There are many companies like RSA who make a profit off of "keys" and "tokens". This is great and all but if you don't have the money to shell out for these tokens, which can run you roughly $300 at the low end, there are other suitable ways with just a thumb drive/USB stick. You can do this with "syskey", a "program" that comes with Windows so there is no need to download anything. We will be using syskey to require anyone signing on to your computer to enter the startup key each and every time the system boots (remember this isn't every time you login but rather every time your computer is booted up). This can be done in a few very simple steps:

1. Put a USB drive into your computer. Goto My Computer, or whatever your computer is named, then right click and choose Manage. Go down to Storage and Disk Management. Here you will see a list of disks, choose whatever you USB drive is under and right click, select Change Drive Letters And Path and choose the letter "A:" to represent your thumb drive. This is mandatory and you will see why in a few more steps.

2. Make sure you have Administrator privileges and click on your start menu and select Run then type in "syskey" and press Enter. If you are using Windows 8 just slide over to your sidebar panel and use the Search function to find "syskey", and select it (syskey.exe).

3. Click on Update to proceed to the following interface shown below. Select Store Startup Key on Floppy Disk. Go up to the Password Startup and enter your password, click OK.

4. A message should pop up that reads something about inserting your disk into Drive A:, which is why we changed the drive letter in step 1. If all is successful you will get a message that reads "The Account Database Startup Key was changed." You can now test this out by rebooting your computer. If you don't have your thumb drive in then your computer will prompt you to put it in, you will then get a message similar to the one shown below (this example was on an XP box), which is where you will need to enter your password.

Viola, you now have a Two Factor Authentication system in place. Keep track of that USB drive.

email security Basics: pretty good privacy.

While updating my public key block for this here site I started thinking about how many people I know who have actually used my PGP key. Outside of a handful of IRC friends I can't think of one person. I understand that to the non-savvy encryption standards and security practices may seem like a foreign language and the way people have been teaching these ideas hasn't helped much.

Many people I know use webmail services such as Gmail provided by Google or MSN/Microsoft's Hotmail service. I have heard some sites and people refer to these as "secure", some even toss in the word "encrypted". It is true that sites such as Gmail (which will be the main example) use SSL/TLS to secure your connection to their website (all Google sites do this, in fact), however, the emails themselves do not enjoy this security. Protocols like SSL only secure your connection to the site itself, so for instance, when you log in to your email account your actual login credentials, such as your username and password, do stay encrypted. Gmail also keeps your stored emails encrypted for as long as they are on Gmail servers. This is all fine but what happens with emails in route, what about data that is actually being transferred from one account to another? This is not encrypted in any way and this is where PGP (Pretty Good Privacy) comes in (if you use Gmail and Google Chrome there is an encryption extension that you can download know as "SafeMail", the link to which is given at the end of this post), or for the FOSS crowd there is PGP's little brother, GPG or GNU Privacy Guard which is basically open source PGP under the GPL license.

The basics of any Public Key Cryptography, such as that which PGP uses, is pretty simple. When you first run PGP you will generate 2 separate keys which by default will use the Diffie-Hellman/DSS algorithm although this can be changed the default DH/DSS should work just fine for new users. One key is known as the "Public Key" and the other is called a "Private Key". The Public Key is, as per its name, public. This means that you can share this key, for PGP to even work effectively you have to distribute this key freely among the email contacts you wish to share encrypted emails with. The other key, our "Private Key", should only be seen by your eyes. When you encrypt a message to someone you use their Public Key to do so (this is why you need to distribute and share your Public Keys, anyone who wants to email you will need to use your Public Key to do so), a Public Key may only be used to "lock" or encrypt a file, it cannot be used to unlock one. In order to decrypt, or unlock, a message the receiver must use their own Private Key. This is why your Private Key should only be seen by you and your Public Key should be given out. This two key system is incredibly simple and very effective from a privacy perspective and has proven itself in use for decades, being used up through both World Wars (a call and response type method was used in the American Army).

To break this idea down one more time, let's say that Alice wants to send Bob an encrypted email. Alice would first have to have Bobs Public Key, which she would use to encrypt the data, once Bob receives this email he then uses his Private Key to unlock it. If Bob wants to email Alice back he must have her Public Key which he uses to encrypt, or lock the file, and when she receives the email she uses her Private Key to read it.

By way of a signature and identity certificate these keys also act as a form of authentication and non-repudiation as well. Authentication makes it possible for the receiver to identify that the origin of the email is from the person it says it is. This signature by its existence also demonstrates non-repudiation which simply means that the author of an email cannot deny sending that email. These identity certificates use a "web of trust" model which means that a given public key can be signed by a third party, known as an "introducer", to attest to the association of a person and their key. This web of trust protocol was first described by PGP creator Phil Zimmerman in the user manual for PGP v2.0:

"As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys."

PGP also demonstrates proof of data integrity which is exactly what it sounds like, the ability to check if the data in the email has been altered in any way after it was completed and sent by its author. To use an analogy, if you were to send a letter in the mail and someone from the post office was to open it up and insert their own messages before resealing it and sending it back out to the recipient, this would be an example of loss of integrity. The person who receives the message will get the edited version written by the post office employee. However, if you were to write your letter in some form of a code that only you and the receiver knew then the post office employee's inserted information, since not conforming to this code, would be out of place and easily identifiable as a breach of data integrity.

The world isn't a nice place, and the internet is an even worse place so if you use email at all I highly suggest keeping it as secure as possible. You wouldn't want just anyone to read the letters, bank statements, insurance information, etc. which you receive in your mail box every day so why would you let them do it over the internet?